1. Field of the Invention
The present invention is directed generally to chip cards and more specifically to a chip card with the capability of inhibiting remote interrogation of the card.
2. Description of the Related Art
Plastic cards that contain a semiconductor chip (i.e., chip cards, smart cards, intelligent chip cards etc.) are being increasingly utilized in the marketplace. The chips function as data storage devices, microprocessors, input/output modules and much more. They serve purposes such as telephoning, parking, paying for goods and services, conveying credits, controlling access, acquiring time, etc. In their many-faceted embodiments and, in particular, as multi-application cards (cards which are capable of handling a plurality of functions on a single card), these cards allow the storing of personal data. The data on a card provides information about the owner of the card and the card owner's behavior.
Chip cards are mainly known in two technical embodiments, contact cards (voltaic cards) and contact-free (non-voltaic) cards. Contact cards require voltaic contacts at their surface for faultless functioning. Contact-free cards forego these contacts and contain transmission coils, capacitor plates or optical elements for transmitting energy and/or data. The energy required for the operation of the card can be acquired from a battery, particularly a battery located in the card.
There are two embodiments of contact-free chip cards; international standardization is underway for both of these embodiments. Close-coupled cards, for example C2® CARDs, should only be usable over short distances according to ISO 10536. Other cards (remote-coupled cards) work in a different way and can be used over greater distances. The standardization of these remote-coupled cards is still in its infancy. The discrimination between contact-free cards is gaining increasing significance because of the problem of unnoticed access to the card. Table 1 provides a rough overview of the conditions with respect to the usability of the various cards at different distances.
TABLE 1

Type               Contacted    Contact-Free    Contact-Free
Standard           ISO 7816     ISO 10536       No Standard (remote-coupled)
Usability close    +            +               +
Usability far      -            -               +
When a voltaically contacted card is used, it is virtually impossible to gain access to the content of the card without being noticed, as long as the owner has control of the card. However, the conditions are entirely different with contact-free cards. The content of such cards can be accessed without an electrical connection between the card and the terminal device, i.e., wirelessly (contact-free) by definition. Such contact-free cards operate, for example, by way of electrical coupling, magnetic coupling, electromagnetic radiation, lightwaves, microwaves, acoustic transmission or combinations of these principles. Thus, the access of the terminal device to the content of the card can be beyond the control of the card owner in these cases. Fundamentally, the terminal device can access the content of the card unnoticed.
Since the data in the remote-coupled card can be accessed both in a terminal device (terminal), as well as from a greater distance outside the terminal, a discrimination between close-coupled chip cards on the one hand and remote-coupled chip cards on the other hand functions properly only when the close-coupled cards necessarily preclude access from a distance.
Contact-free cards contain a chip embedded in the carrier material in a way that cannot be manipulated. Also, contact-free cards have a longer service life than voltaically contacted cards. Specific embodiments of contact-free cards offer the ergonomic advantage that they can be operated at the terminal without taking into consideration the geometrical orientation of the four different operating positions along the card's longitudinal axis. Most likely the use of the contact-free chip cards will become widespread in addition to that of the voltaic chip card, and advantages will accrue therefrom for the user of the contact-free card.
Card issuers counter the disadvantage of unnoticed access to data of contact-free cards with the argument that their cards allow "remote transmission" only from a limited, small distance. The range is allegedly limited in the manner desired. The counter-argument thereto is that the range can be arbitrarily expanded, within the technologically-possible limits, after an adequate boost of the intensity of the information carrier output by the transmitter. The limits between near operation and remote operation are therefore blurred. The unauthorized manipulation of the card by manipulation at the transmitter cannot be precluded in a documentable fashion. The range of the data traffic is only limited by the intensity of the transmitting medium and can be made arbitrarily great within the scope of feasible technology.
Another argument is that encoding of the data traffic between the card and a specific terminal can protect against unnoticeable access to the data in the card. The counter-argument thereto is that a stolen or simulated terminal performs the same function as the specific terminal, and that the aforementioned boost in intensity can again be used. The encoded data traffic can also occur remotely and the encoding thus has no value as a protective mechanism.
Particular purveyors of products or services, especially banks that accommodate credits or lines of credit on cards of the type under consideration here, have special problems. For instance, such banks can only assume responsibility for the proper condition of the card information content when the card necessarily must be physically inserted into a terminal for processing. The terminal must also be capable of retaining the card when necessary as soon as an error in the processing is found. It is unlikely that such banks will allow a manner of commercial use that cannot irrevocably and non-manipulably provide such a minimum security level.
Thus, a solution is needed for cards which carry out specific functions only within a range predetermined by the card. This solution can then also be applied to other problems of non-contacting data transmission, such as the parameterizing and interrogation of, as well as transmission of data to/from, contact-free heart pacemakers.
Two possibilities are known for protecting the owner of a contact-free card against unnoticed access to his card data:
the owner of the card is forced to plug his contact-free card into a terminal because the card does not function outside the terminal; and
the card user can intentionally and consciously withhold the card from contact-free data transmission by actuating appropriate technical means, i.e. by providing an enveloping shield or operating a switch.
As a result of the latter possibility, the owner of the card not only suppresses the potentially undesired remote access, but also the near access desired in a proper use of the card. No unassailable criterion for distinguishing between near and remote operation exists. To make a card inhibited in this way accessible again for desired, authorized near operation, particularly for intentional incrementing or decrementing of credits in a terminal device, the user must, of course, either remove the shield or return the switch to the position that provides a response capability.
This cancellation of the inhibit need not be performed exclusively manually and intentionally by the owner; it is also conceivable that the terminal automatically cancels the inhibit with technological means. Whether the inhibit is manually or automatically canceled, protection against remote access, particularly remote access by attacking with high intensity, is then lost.
In the automatic case, the prior art requires shielding the terminal around the card. This, in fact, leads to a defined distinction between near and remote: near is within the shield and remote is outside the shield. Also, no outside operation can overcome this hurdle no matter how great its intensity. However, the undesirable physical outlay of shielding the terminal is a great disadvantage of this solution. Specifically, the quality of the protection is not defined by the card but by its environment. Thus, the card sacrifices control over its data to the environment in which the card is used.
In the manual case, the unprotected time span is substantially lengthened when the owner has the card in his hand outside the terminal device between deactivation and activation of the protection, which is an especially dangerous situation. A mobile shielding around the card that, upon introduction of the card into the terminal device, is subsumed in the aforementioned shielding of the latter is equally unreasonable. It should be fundamentally noted that shielding is nothing more than a means for attenuating the transmission intensity. More intelligent features are not inherent therein.